Closed Bug 536560 Opened 15 years ago Closed 15 years ago

Freeze and OOM kill happens in gfxPangoFontGroup::CreateGlyphRunsItemizing, on password input field

Categories

(Core :: DOM: Editor, defect)

1.9.2 Branch
x86
Linux
defect
Not set
critical


RESOLVED FIXED

People

(Reporter: romaxa, Unassigned)


Attachments

(1 file)

aLength=6846128, = mLastLength and equals to not initialized int value...

#0  nsGenericDOMDataNode::SetTextInternal (this=0x68b848, aOffset=0, aCount=6846128, aBuffer=0x43b7e010, aLength=6846128, aNotify=1)
    content/base/src/nsGenericDOMDataNode.cpp:358
#1  0x40dfa39c in nsGenericDOMDataNode::ReplaceData (this=0x68b848, aOffset=0, aCount=6846128, aData=<value optimized out>)
    content/base/src/nsGenericDOMDataNode.cpp:352
#2  0x40e2904c in nsTextNode::ReplaceData (this=0x68b848, offset=0, count=6846128, arg=@0x43b7e010)
    content/base/src/nsTextNode.h:70
#3  0x41027058 in nsTextEditRules::HideLastPWInput (this=0x68b550)
    editor/libeditor/text/nsTextEditRules.cpp:1479
#4  0x41027488 in nsTextEditRules::WillDeleteSelection (this=0x68b550, aSelection=0x68bc08, aCollapsedAction=0, aCancel=0xbe81cfe0, aHandled=0xbe81cfdc)
    editor/libeditor/text/nsTextEditRules.cpp:980
#5  0x41028a18 in nsTextEditRules::WillDoAction (this=0x68b550, aSelection=0x68bc08, aInfo=0x1, aCancel=0x43b7e010, aHandled=0xbe81cfdc)
    editor/libeditor/text/nsTextEditRules.cpp:340
#6  0x41023a4c in nsPlaintextEditor::DeleteSelection (this=0x68b460, aAction=0)
    editor/libeditor/text/nsPlaintextEditor.cpp:753
#7  0x41027c08 in nsTextEditRules::WillInsertText (this=0x68b550, aAction=2000, aSelection=<value optimized out>, aCancel=0xbe81d3bc, aHandled=0xbe81d3b8, inString=0xbe81d65c, outString=0xbe81d2f0, aMaxLength=-1)
    editor/libeditor/text/nsTextEditRules.cpp:605
#8  0x41028978 in nsTextEditRules::WillDoAction (this=0x68b550, aSelection=0x68bc08, aInfo=<value optimized out>, aCancel=0xbe81d3bc, aHandled=0xbe81d3b8)
    editor/libeditor/text/nsTextEditRules.cpp:338
#9  0x410237f4 in nsPlaintextEditor::InsertText (this=0x68b460, aStringToInsert=@0xbe81d65c)
---Type <return> to continue, or q <return> to quit---
    editor/libeditor/text/nsPlaintextEditor.cpp:797
#10 0x40cda8d8 in nsTextControlFrame::SetValue (this=0x68a938, aValue=<value optimized out>)
    layout/forms/nsTextControlFrame.cpp:2689
#11 0x40cdabfc in nsTextControlFrame::SetFormProperty (this=0x68a938, aName=<value optimized out>, aValue=@0xbe81d854)
    layout/forms/nsTextControlFrame.cpp:1896
#12 0x40eb9520 in nsHTMLInputElement::SetValueInternal (this=0x689868, aValue=@0xbe81d854, aFrame=<value optimized out>, aUserInput=1)

#9  0x410237f4 in nsPlaintextEditor::InsertText (this=0x68b460, aStringToInsert=@0xbe81d65c)
    at /home/bifh5/fremantle-arm-prereleased.cs2007q3/work/microb-engine-20091218-1.9.2/editor/libeditor/text/nsPlaintextEditor.cpp:797
797     in /home/bifh5/fremantle-arm-prereleased.cs2007q3/work/microb-engine-20091218-1.9.2/editor/libeditor/text/nsPlaintextEditor.cpp
(gdb) p ruleInfo
$8 = {<nsRulesInfo> = {_vptr.nsRulesInfo = 0x41663cc0, action = 2000}, inString = 0xbe81d65c, outString = 0xbe81d2f0, outputFormat = 0x0, maxLength = -1, collapsedAction = 1, bOrdered = 0, entireList = 0, bulletType = 0x0, alignType = 0x0, blockType = 0x0, insertElement = 0x0}
(gdb) p ruleInfo.inString
$9 = (const nsAString_internal *) 0xbe81d65c
(gdb) p *ruleInfo.inString
$10 = {mData = 0x59bbe0, mLength = 15, mFlags = 65541}
(gdb) p *ruleInfo.outString
$11 = {mData = 0x59bbe0, mLength = 15, mFlags = 65541}
(gdb)
Attachment #419012 - Flags: review?(neil)
Not sure: is it a security problem for 1.9.2? Should we fix it for 1.9.2?
Comment on attachment 419012
Initialize mLastStart, and mLastLength

IMHO this should land on the 1.9.2.x branch too. (I think it's only the length that really needs initialisation.)
Attachment #419012 - Flags: review?(neil) → review+
mLastStart also can be used without initialization. Fixed http://hg.mozilla.org/mozilla-central/rev/6ba4460d6140
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
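
Added illustration, not part of the bug thread and not the patch in attachment 419012 or any Mozilla code: a minimal model of the defect class seen in the backtrace, where a remembered "last typed" range is used as a replace count. The class `PasswordMask` and its methods `NoteTyped` and `HideLast` are hypothetical names; the clamp in `HideLast` is an extra defensive check of this sketch that goes beyond the member initialization the bug discusses.

```cpp
// Added illustration; PasswordMask and its methods are hypothetical names.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>

class PasswordMask {
public:
    // Both fields get a defined value, so "nothing pending" is representable
    // before the first keystroke instead of being whatever was in memory.
    PasswordMask() : mLastStart(0), mLastLength(0) {}

    // Remember the clear-text range that was just typed.
    void NoteTyped(std::size_t start, std::size_t length) {
        mLastStart = start;
        mLastLength = length;
    }

    // Replace the remembered range with mask characters and return how many
    // characters were masked. The range is clamped to the current text
    // (an assumption of this sketch), so a stale value cannot grow the buffer.
    std::size_t HideLast(std::string& text, char mask = '*') {
        if (mLastLength == 0) return 0;
        const std::size_t start = std::min(mLastStart, text.size());
        const std::size_t count = std::min(mLastLength, text.size() - start);
        text.replace(start, count, count, mask);
        mLastStart = mLastLength = 0;
        return count;
    }

private:
    std::size_t mLastStart;
    std::size_t mLastLength;
};

int main() {
    // Constructed input: 15 characters, matching mLength = 15 in the gdb dump.
    std::string field(15, 'x');
    PasswordMask mask;
    mask.NoteTyped(0, 6846128);  // the bogus count seen in frame #0
    std::cout << mask.HideLast(field) << " masked, size " << field.size() << "\n";
    return 0;
}
```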